catch me if you can! detecting sandbox evasion techniques · catch me if you can! detecting sandbox...

Enigma 2020 – San Francisco, CA, US

CATCH ME IF YOU CAN! DETECTING SANDBOX EVASION TECHNIQUES

Francis Guibernau & Ayelen Torello


ABOUT US

Francis Guibernau@OutrageousLynx

Security Researcher at Deloitte

Ayelen Torello @TorelloAyelen

Security Researcher at Deloitte


Overview - agenda

Identified TechniquesList of techniques and the different categories

defined within Environment Awareness

APT Insight & ConclusionHow we use what we learned in order to

profile and track APT groups.

Definition of the ‘Environment Awareness’ master technique and the purpose behind it

Environment Awareness

Multiple malware examples from each identified category.

In the wild Examples


ENVIRONMENT AWARENESS

Environment Awareness is the name provided to the set of high-level techniques used by attackers to attempt to detect

the sandboxing environments, virtual machines or the presence of forensic tools.


Techniques

System Architecture1 3 Sub-Techniques

System Background2

TIME-BASED detection3

USER-Based Detection4

Network-Based Detection5

6 Sub-Techniques

5 Sub-Techniques

3 Sub-Techniques

3 Sub-Techniques


SYSTEM ARCHITECTURE

System Specifications

System Memory

Disk Properties

CPU Core Count

Hardware Components

Thermal Check

Peripheral Check

Hardware IDs

System footprint

BIOS

UEFI

EFI


System ARCHITECTURE

GravityRAT

Hardware IDs

Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

Thermal Check

HardwareComponents

HardwareComponents


System ARCHITECTURE

GravityRAT


System Specifications

CPU Core Count


SYSTEM BACKGROUND

System instrumentation

CPUID Based Instructions

WMI Queries

Process and services

Registry Keys

Mac addresses

System fingerprinting

Artifacts presence


SYSTEM BACKGROUND


CPUID Based Instructions

WMI Queries

Process and services

Registry Keys

Mac addresses

System fingerprinting

Artifacts presenceHKEY_LOCAL_MACHINE\SOFTWARE\Oracle\Virtual Box Guest Additions

00:05:69:xx:xx:xx VMWare00:0C:29:xx:xx:xx VMWare00:1C:14:xx:xx:xx VMWare00:50:56:xx:xx:xx VMWare00:15:5D:xx:xx:xx Hyper V00:16:3E:xx:xx:xx Xen54:52:00:xx:xx:xx KVM

C:\windows\System32\Drivers\VBoxMouse.sysC:\windows\System32\Drivers\VBoxGuest.sysC:\windows\System32\Drivers\VBoxSF.sysC:\windows\System32\Drivers\VBoxVideo.sys


SYSTEM BACKGROUND

WMI Queries

GravityRAT




SYSTEM BACKGROUND

GravityRAT


Mac addresses


SYSTEM BACKGROUND

GravityRATRegistry Keys



TIME-BASED DETECTION

time bomb

Scheduled download

System events

Extended sleep

System uptime


TIME-BASED DETECTION

Reference: https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/

Systemuptime

upatre


USER-BASED DETECTION

software and applications

user interaction

user properties and configurations



user interaction



fin7

user interaction


network-BASED DETECTION

Open Ports

Connectivity Availability

Network Check


NETWORK-BASED DETECTION

Network Check

PowerShell Empire


Results – APT Tracking

suspected

N. Korea7,5%

suspectedRussia 12% Unknown

28%

suspectedCHINA 30%

According to Vendor’s Group Attribution


Results – APT Tracking

Time-based Detection

Time-based Detection

System Background

Network-based Detection

APT 1

TA505

APT 28

Lazarus

According to Vendor’s Group Attribution


T1497 – Virtualization/Sandbox Evasion

RESULTS & INSIGHT

Improvement on APT Insight

APT OverlappingEvasion Techniques knowledge

Mitre Framework Updated (2019)


Closing remarks

• Evasion techniques are constantly evolving.

• Use different profiles for your Sandbox and avoid generic ones.

• Keep all your systems up-to-date to avoid Malware exploiting known vulnerabilities.


QUESTIONS

catch me if you can! detecting sandbox evasion techniques · catch me if you can! detecting sandbox...

Documents